[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Wed Aug 3 13:19:03 UTC 2016
Hi Louis,
Many many thanks for your very quick and comprehensive reply.
I also found this thread here
<https://lists.samba.org/archive/samba/2016-July/201471.html>
Unfortunately none of the suggestions seem to entirely resolve the issue.
As a first work-around I have inserted
ldap server require strong auth = no
to my smb.conf and re-started Samba.
Unfortunately this didn't change anything. I am still getting the same errors
from gpupdate.exe (with the same errors logged to event log) claiming name
resolution failure while samba logs report:
[2016/08/03 15:17:45.609250, 1]
  ../auth/kerberos/gssapi_helper.c:291(gssapi_unseal_packet)
  gss_unwrap_iov failed: Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387, 0]
  ../source4/auth/gensec/gensec_gssapi.c:1051(gensec_gssapi_unseal_packet)
  gensec_gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: NT_STATUS_ACCESS_DENIED
I am not fully sure about the MS changes though. My GPOs all list "Authenticated
Users" in the "Security Filtering" section in the Scope tab. I am unsure where to
insert the "Authenticated Users" group in the GPO with read permissions. Does it
mean I should add "Authenticated Users" in the Delegation tab? If yes, then all
my GPOs already have this entry in the Delegation tab:
- Authenticated Users, Read (from Security Filtering)
I also tried inserting Domain Computers with Read permissions to the Delegation
tab. No change in the result though.
I also tried to remove the "Authenticated Users" entry from Security Filtering
with and without adding it to the Delegation tab, to no avail. It still complains
about name resolution failure on the domain controller.
I also added the admx templates successfully to sysvol but this did not fix the
GPO processing issue (as expected).
In addition, samba-tool ntacl sysvolcheck returns the same error as
indicated in the thread above:
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ad.cyberdyne.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Though according to
<https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a
samba-tool issue.
Though I don't think it's related to the error as it looks like somehow it's not
about permissions or issues on sysvol share level but rather crypto/signature
issues.
Moreover I tried a bit more GPO debugging as instructed here:
<https://lists.samba.org/archive/samba/2016-August/201762.html>
Perhaps the following log line points out an error:
GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.
The full log can be found here:
<http://pastebin.com/vgbhx0cm>
Many thanks again.
Rainer
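To make the sysvolcheck mismatch quoted above concrete, here is a small added Python example (not part of the thread and not Samba's own code) that parses the two SDDL strings from the error and diffs them field by field. The ACE lists turn out to be identical; the only disagreement is the owner, LA (the local Administrator account) on disk versus DA (Domain Admins) in the GPO object in LDAP.

```python
import re
from typing import NamedTuple

class Ace(NamedTuple):
    type: str     # A = access allowed
    flags: str    # OICI = object + container inherit, IO = inherit only
    rights: int   # 0x001f01ff = full control, 0x001200a9 = read and execute
    sid: str      # trustee: DA = Domain Admins, LA = Local Administrator, ...

class Sddl(NamedTuple):
    owner: str
    group: str
    dacl_flags: str   # P = protected, inheritance from the parent is blocked
    aces: tuple

def parse_ace(body: str) -> Ace:
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("malformed ACE: %r" % body)
    return Ace(parts[0], parts[1], int(parts[2], 16), parts[5])

def parse_sddl(sddl: str) -> Sddl:
    """Split an O:..G:..D:.. descriptor (no SACL part) into its components."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:([^(]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, ace_text = m.groups()
    aces = tuple(parse_ace(a) for a in re.findall(r"\(([^)]*)\)", ace_text))
    return Sddl(owner, group, flags, aces)

def diff_sddl(actual: str, expected: str) -> dict:
    """Report which parts of the on-disk descriptor differ from the LDAP one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = {}
    for field in ("owner", "group", "dacl_flags"):
        if getattr(a, field) != getattr(e, field):
            diffs[field] = (getattr(a, field), getattr(e, field))
    missing = [x for x in e.aces if x not in a.aces]
    extra = [x for x in a.aces if x not in e.aces]
    if missing or extra:
        diffs["aces"] = {"missing": missing, "extra": extra}
    return diffs

# Input: the two descriptors copied from the sysvolcheck error in the mail above
ON_DISK = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
IN_LDAP = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

if __name__ == "__main__":
    print(diff_sddl(ON_DISK, IN_LDAP))   # {'owner': ('LA', 'DA')}: same ACEs, different owner
```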